A mechanism for ensuring leadership, business managers, and other stakeholders make risk-informed decisions and fulfill oversight duties
At the end of the day, the ERM process should be regarded as a cycle or feedback loop…meaning, there’s never a definitive end point.
It’s like the four seasons of the year – there’s never an end point, just a continuous loop throughout the year. Fall moves to winter, winter to spring, spring to summer, back around to fall, and the cycle continues as it has done for eons.
I’ve discussed other points along the ERM loop like risk identification, assessment, and analysis, plus process development, in prior articles.
In this article, I’m going to dive into the last point in this loop or cycle – risk reporting.
Before going any farther, I want to explain that this primer will not necessarily get into how you should prepare risk reports in your organization. As you’ll see in the upcoming sections, there are a lot of organization and individual-specific factors that go into effective risk reporting.
While there will be some examples below, this article will focus on elements of a solid risk report and considerations based on who your report(s) is intended for.
Without further ado, I want to start by providing you with a definition…
What is risk reporting and why is it important?
Since risk reporting can vary widely from one organization to the next, an exact definition is hard to pin down. However, the COSO ERM Framework (2017) says this about risk reporting:
Reporting supports personnel at all levels to understand the relationships between risk, culture, and performance and to improve decision-making in strategy- and objective-setting, governance, and day-to-day operations.
And as Norman Marks explains in his book World-Class Risk Management (…a source I’ll be referring to more in this article), the management of risks should be an essential part of the day-to-day management and decision-making of an organization. However, it’s important that management and the board “take stock” every so often. That way, the Board and senior management know whether the organization is on track to achieve its objectives.
Besides taking stock, risk reporting is also important from a legal perspective. In times past, a Board didn’t necessarily have to know about a risk, but today, Boards cannot claim they were simply unaware of a risk that ended up becoming a big problem. Board members have an obligation to understand the risks facing an organization and ensure that management is addressing them in the appropriate manner.
Despite the importance of risk reporting, the level of satisfaction with “…the nature and extent of internal reporting of key risk indicators that might be useful for monitoring emerging risks by senior executives” is rather low, according to the 2018 State of Risk Oversight report from NC State University. Over 40% of respondents claim they are “not at all” or “minimally” satisfied with the quality of reporting they receive from their risk personnel.
Why is this?
Two main reasons (don’t worry – I will discuss these in more detail later):
1. The report doesn’t speak to the right audience.
By not understanding the background of the intended recipients or their knowledge of ERM, risk reports are either overwhelming (too detailed) or so high-level that they do not provide any real information.
2. The report is a documentation exercise with no insights.
A report simply providing a list of risks without any real-time insights and perspectives on achieving critical objectives essentially means the risk report is a pretty picture that documents what people already know. Lists of risks are also out-of-date rather quickly since every decision either modifies existing risks or creates new ones.
Risk reporting that simply lists risks is one of several ways that ERM can fall into the dreaded “check-the-box” trap. Board members and executives will eventually begin questioning the value of ERM in this situation.
A true value-add risk report will provide real-time insights and perspectives on risks to objectives. However, having timely information can be challenging in a formal setting, so be cautious about how much time it takes to gather, compile, analyze, and report the information. Organizations with more robust ERM processes use risk reporting as a springboard to further discussions on strategy, mitigation, and more.
General risk reporting tips
Earlier, I briefly mentioned how the needs of a risk report will vary based on the audience. However, there are a few general risk reporting tips to ensure your risk reports are actionable and easy to consume. These tips include:
- Report Structure – However you develop risk reports in your organization, they must be intuitive first and foremost. You shouldn’t have to teach the audience how to read and take action on the report. If you do, the report is too complex and/or too confusing. Also consider the background of the end users – how much do they know about enterprise risk management practices? Do they have more of a business, technical, or legal background?
- Risk Terminology – One reason many organizations struggle with risk reporting has to do with the language used in the reports. As I explain here, it’s important for ERM professionals to use language consistent with the enterprise instead of technical terms that only a few will understand. Most users of risk reports will not understand the nuances of risk scoring and other measurements, so this needs to be taken into account.
- Reports need to be actionable – One of the common complaints about risk reporting is that reports simply provide a list of risks without any further analysis. As explained by Norman Marks, a list of risks is useful when managing risks, but what users of the report need, especially decision-makers, is to understand risk and its impact on objectives in a cumulative way, not one-by-one. Think more about the root cause(s) of the risk, the effects on business objectives, how pervasive it is throughout the organization, whether there is any room to take more risk, and whether there are any opportunities for the organization if this risk occurs.
Note: Risk aggregation is an advanced way of understanding how multiple risks cumulatively affect objectives, but since most practices likely involve advanced computer modeling, risk aggregation should not be a priority until you have nailed down the risk reporting process for your organization.
These general tips on risk reporting apply regardless of the audience. In the end, it boils down to clarity: any text or visual elements in risk reports have to be clear enough for the user to understand them without having to think too much, and then to make decisions quickly based on that information.
4 Risk Reporting Audiences – What Reports Should Include
The core factor in how risk reports take shape depends on who the end user is. A risk report for a Board-level committee is going to look much different than one to a risk owner.
For example, risk reporting for the Board will be more “big picture” and focus on risks to the organization achieving its objectives. The structure and detail of risk reports will gradually become more granular or focused on specific risks the further you go down the organizational ladder. And risk reports for regulatory agencies have a host of considerations separate from internal consumers.
Continue reading to learn more about these four audiences and what they need to get from any risk reports.
Board and Board-level Risk Committee
In short, the Board or a Board-level risk committee needs a performance-based report that focuses on achieving objectives. The responsibilities of the board or board-level risk committee are frequently delegated to the Audit Committee.
What is the Board looking for from a risk report? Assurance that the CEO and other executive managers understand risks to objectives and are taking appropriate action to address these risks.
Why? It ensures the Board has the information it needs to understand risks to achieving objectives and fulfill its oversight responsibilities.
What? This report will be high-level and should prompt further discussion on how to proceed, whether that involves mitigation action(s) or a change in strategy.
Most organizations prepare a full report at least annually, but this timeframe means the information needs to be updated right before this report. (Otherwise, information that is 6 months old is useless.)
Respondents to a survey from NC State had a common thread in what their reports included. The bulk of information contained in reports was text-based with graphic/visual elements, such as charts or heat maps playing a supporting role. Visual elements play a role in framing critical issues and showing the level of exposure to top risks.
Here are a couple of examples of heat maps from a prior project. Although I’m providing this example, there are limitations to heat maps I want to discuss in a future post…
The vast majority of respondents also explain that they only report on the top 10 to 15 risks to the enterprise in their Board-level presentations.
I can’t stress this enough: these reports to the Board should be general in nature and only include top risks.
In some cases, the Board may request a follow-up or “deep dive” on any risks of particular concern quarterly or even monthly if the risk is significant enough. This responsibility really rests with business functions in the enterprise if risk is truly embedded throughout the organization. When IT, Marketing, Finance, Legal, or HR executives present to the Board, they should be taking the lead on reporting on key risks and their assessment of those risks.
On the other hand, Board-level risk and/or audit committees will look for full reports from the risk management team, since in many cases, these are the forums where detailed discussions on the path forward will occur. A committee like this will also be performing the oversight function for risk management.
Let’s look at Southwest Airlines for an example. Risk reports for the Board at Southwest have 4 levels of information:
- Proactively identify the biggest risks
- Outline any action plans for these risks (past, present, and future)
- List “accepted” risks that are outside the organization’s control
- Outline the impact these big risks could have on achieving objectives
Executives like the CEO and others will have many of the same risk report requirements as the Board. However, in this case, reports will need to go into a bit more detail, but not so much that executives reading them will be overwhelmed.
In fact, executives rely on ERM staff to vet risks with risk owners and prioritize them according to available info. ERM staff will then provide executives a short list of risks and provide guidance on decisions that need to be made. Components of risk information, such as category, impact/likelihood, velocity and any mitigation activities to date are discussed in these reports.
Risk reports to senior management also need to cover more than the 10-15 individual, top-tier risks mentioned above. In order for management to fulfill its responsibilities, they must understand the overall level of risk to an objective. Taken one at a time, a risk may not be a big deal, but when “aggregated” together, risks could present a huge red flag.
(It’s important to note that true “aggregation” is a very advanced topic that shouldn’t be attempted while still developing an ERM process in your organization.)
ERM can also recommend action steps for mitigating risks or modifying strategy based on observations and general knowledge.
In the end, it is management’s responsibility to ensure that appropriate controls and other risk-related activities are in place.
A risk dashboard is one tool executives in more mature ERM programs use to get the information they need to fulfill their responsibilities. Creating a risk dashboard can be done manually using Excel (or a similar tool); however, this is a primary use of risk software. ERM software, of which many options are available, will include indicators on the status of key risks, dependencies, impacts, and how they are being handled. With a quick glance, the executive will be able to see the risk owner, along with a summary chart of top risks, other key risk indicators, and more.
Visual tools like a dashboard, which can also be included on Board-level reports, are a great way for your audience to quickly comprehend data.
One word of caution though – as discussed by Norman Marks, COSO, myself, and other risk thought leaders, organizations should first focus on establishing and refining their processes before jumping into a technology solution. A tool should not dictate the risk process at an organization. Instead, an organization should establish and refine their process for at least a year, then find a tool that supports that process. After all, the software should support the more streamlined management of risks throughout the organization.
There is another way of reporting: “informal” reporting. What does informal risk reporting look like? Organizations with a robust ERM process that’s embedded throughout the organization and has strong executive buy-in will seek out the perspective of risk professionals. The on-demand insights, opinions, and perspectives from the risk team are where the real value of ERM can be realized.
The last internal audience for risk reporting will be the middle managers and other personnel on the front lines who actually own the risks, meaning the individual(s) responsible for monitoring and implementing any mitigation actions prescribed by upper management.
Although reports at every level will need to provide actionable information, this is especially important for reports to risk owners.
These reports will also provide the highest level of detail regarding risk, including key risk indicators. Reports to the risk owners will focus on performance metrics, as well as provide the most up-to-date information on the assessment of all the risks under the individual’s responsibility. This may seem overwhelming to you at first, but it is your responsibility to be both succinct and accurate in reports. Remember to use a combination of text and visual elements.
An example of a good visual element for risk owner reports is a radar chart (available in Excel), which compares risk assessment results to risk tolerance levels.
A key difference with this report is this: instead of using the report to develop or modify strategy, risk owners use information in their reports to plan and budget the day-to-day operations of the organization.
As is the case with Board and senior executive level reports, the format will need to be tailored to the professional background and level of ERM knowledge the end user has.
The last risk reporting audience to mention is any relevant regulatory agencies that require organizations to report on risks. Publicly-traded corporations in the U.S. are required by the Securities and Exchange Commission (SEC) to report top risks. Other examples of mandated risk reporting include the state-level Own Risk and Solvency Assessment (ORSA) for U.S. insurance companies and Solvency II reporting in the European Union.
As a former insurance regulator in my home state of Florida, I can attest that any risk reports for a regulator must balance the company’s need to satisfy the regulatory requirement and the regulator’s need to understand the company’s risks. Of course, the insurance company must disclose risks without getting too detailed, which can result in a higher level of scrutiny by the regulators.
At the present time, it’s also unclear how well regulators really understand enterprise risks and can therefore digest information and ask in-depth questions regarding the report.
The SEC’s report, known as the 10-K, isn’t looking for a list of risks with detailed assessment information but rather a narrative of the big risks to the organization.
In this case, it’s best to look at others sending reports, like this one from Walmart, to understand what to include in a 10-K report if your company is required to submit one.
I want to reiterate how risk reporting is really organization-specific. The contents of a report and how it is formatted depends on a variety of factors, including the needs of the users, the professional background and skill sets of the audience and other individual-specific factors. Understanding this about the users of risk reports is critical to ensuring the most helpful reports for facilitating further discussion on risks get produced.
Don’t feel pressured to include certain elements, especially if the organization is not ready for them or if the risk process doesn’t support those elements yet.
And last but not least, you may have guessed this by now…Risk reporting is very fluid. Don’t think for a moment that the way you prepare risk reports will be the same each time.
Just remember that the process and format for risk reporting in your organization is a constantly evolving process.
Risk reporting is quite an in-depth topic, but this primer should provide a good foundation for what you need to consider when developing reports in your organization.
Do Board members and executives in your organization find risk reports helpful in addressing risks to strategic objectives?
Do they provide the guidance you, as the risk professional, need to provide them with the right information in a way that’s helpful to them?
I’m interested to hear your thoughts and experiences on this important topic…simply comment below or join the conversation on LinkedIn to share your perspective or question(s).
And if you’re struggling to develop concise and actionable risk reports for your organization or a regulatory agency, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.